Communication system and transfer device

ABSTRACT

A video data providing unit ( 10 ) connects to a restricted access providing-side VPN ( 20 ). A streaming server ( 60 ) connects to a restricted access transmitting-side VPN ( 50 ). A router ( 40 ) determines whether or not transmitting-side data such as request data or instruction data received via the transmitting-side VPN ( 50 ) is data that has been transmitted from the streaming server ( 60 ), and whether or not providing-side data such as video data received via the providing-side VPN ( 20 ) is data that has been transmitted from the information providing unit ( 10 ). The router  40  then transfers the transmitting-side data and providing-side data based on those determination results.

TECHNICAL FIELD

The present invention relates to a communication system and a transferdevice.

BACKGROUND ART

Conventionally, there have been communication systems, which transmitvideo data to mobile terminals by streaming (for example, “W-CDMA MOBILECOMMUNICATIONS SYSTEM” edited by Keiji Tachikawa, p. 357-360,Maruzen,Jun. 25, 2001). For example, a communication system, which transmitsvideo data by streaming shown in FIG. 1 has been used. In acommunication system 401 shown in FIG. 1, a plurality of cameras 410recording video data, and a streaming server 430 transmitting video datato a plurality of mobile terminals 440 by streaming, connect to a singlevirtual private network (hereafter, referred to as VPN) 420, and areconnected to each other via the VPN 420. In the communication system401, a camera 410 transmits video data to the streaming server 430 viathe VPN 420. The streaming server 430 then obtains and transmits thevideo data transmitted from the camera 410 to a mobile terminal 440.According to such communication system 410, since the cameras 410 andthe streaming server 430 connect to a single VPN 420, there is anadvantage that security between the cameras 410 and the streaming server430 can be ensured.

In the conventional communication system 401, the cameras 410 and thestreaming server 430 exchange data through connection to a single VPN420. As a result, the cameras 410 providing video data, the streamingserver 430 obtaining and transmitting the video data to a terminal, andthe VPN 420 must have a unified security policy and addressarchitecture.

In addition, since the cameras 410 and the streaming server 430 connectto a single VPN 420, it is necessary to provide as many VPNs 420, eachconnecting between the cameras 410 providing video data and thestreaming server 430 obtaining and transmitting the video data to aterminal, as the number of groups, each needing to ensure securitybetween the cameras 410 and the streaming server 430. As a result, costsfor constructing such VPN 420 may increase widely. More specifically,when there are numerous groups that need to ensure security, it isnecessary to construct as many VPNs 420 as there are cameras 410 and thestreaming server 430 to be connected thereto. As a result, costs haveremarkably increased.

An object of the present invention is to provide a communication system,which has high security and can be constructed at low cost, where aninformation providing-side providing information data and an informationtransmitting-side transmitting the information data obtained from theinformation providing-side to a terminal can maintain their own uniquesecurity policy, and a transfer device used for the communicationsystem.

DISCLOSURE OF INVENTION

A communication system of the present invention comprises an informationproviding unit configured to provide information data, an informationproviding-side network configured to connect the information providingunit and be restricted access, an information transmitter configured toobtain the information data by transmitting request data for requestingthe information data to the information providing unit, and transmitobtained information data to a terminal, an informationtransmitting-side network configured to connect the informationtransmitter and be restricted access, and a transfer unit configured toconnect the information transmitting-side network and the informationproviding-side network, determine whether or not data received via theinformation transmitting-side network (hereafter, referred to astransmitting-side data) is data transmitted from the informationtransmitter, and whether or not data received via the informationproviding-side network (hereafter, referred to as providing-side data)is data transmitted from the information providing unit, and transferthe transmitting-side data and the providing-side data based on thedetermination results.

According to such a communication system, the information providing unitconnects to the restricted access information providing side network.The information transmitter connects to the restricted accessinformation transmitting-side network. Therefore, the informationproviding unit and the information transmitter connect to differentnetworks, respectively. The transfer unit determines whether or nottransmitting-side data is data transmitted from the informationtransmitter, and whether or not providing-side data is data transmittedfrom the information providing unit, and transfers the transmitting-sidedata and the providing-side data based on the determination results.

Therefore, it is unnecessary to construct a network connecting both theinformation transmitter and the information providing unit and having aunified security policy. Accordingly, a group of the informationtransmitter and the information transmitting-side network, and a groupof the information providing unit and the information providing-sidenetwork, may connect via the transfer unit, while maintaining their ownunique security policies, respectively. In addition, the transfer unitdetermines whether or not transmitting-side data and providing-side dataare data that have been transmitted from the information transmitter andthe information providing unit, respectively, and transfers data basedon the determination results. Accordingly, between the group of theinformation transmitter and the transmitting-side network and the groupof the information providing unit and the providing-side network, onlyspecific data that has been transmitted from the information transmitteror the information providing unit is transmitted. Furthermore, access tothe information providing-side network and the informationtransmitting-side network is restricted, respectively. As a result, thecommunication system may ensure high security.

Since it is unnecessary to construct a network connecting both theinformation transmitter and the information providing unit and having aunified security policy, the communication system can be constructed byutilizing the existing information transmitting-side network to whichthe information transmitter is connected and the existing informationproviding-side network to which the information providing unit isconnected. Accordingly, the communication system can be efficientlyconstructed at low cost.

In addition, the communication system may comprise a plurality ofinformation providing-side networks, and the transfer unit may connectthe information transmitting-side network and the plurality ofinformation providing-side networks. As a result, the informationtransmitting-side network and the plurality of informationproviding-side networks can be connected via the transfer unit.Accordingly, even if there are many groups that need to ensure thesecurity between the information providing unit and the informationtransmitter, it is unnecessary to provide as many transmitting-sidenetworks as the number of groups that need to ensure security, so longas as many information providing-side networks as the number of groupsthat need to ensure security are provided. It is also unnecessary toprovide as many networks to which connects the information providingunit and the information transmitter as the number of groups that needto ensure security. Accordingly, the communication system where theinformation providing-side and the information transmitting-side mayhave their own unique security policies can be constructed at low cost.

Furthermore, it is preferable that the transfer unit converts an addressattached to data transmitted to the information providing unit from theinformation transmitter, into an address suitable for the informationproviding-side network (hereafter, referred to as a providing-sideaddress), and converts an address attached to data transmitted to theinformation transmitter from the information providing unit, into anaddress suitable for the information transmitting-side network(hereafter, referred to as a transmitting-side address).

Alteratively, the transfer unit may convert an address attached to datatransmitted to the information providing unit from the informationtransmitter, into an address other than the providing-side address andthe transmitting-side address (hereafter, referred to as a commonaddress), convert a converted common address into the providing-sideaddress, convert an address attached to data transmitted to theinformation transmitter from the information providing unit, into thecommon address, and convert a converted common address into thetransmitting-side address.

Accordingly, the group of the information transmitter and theinformation transmitting-side network, and the group of the informationproviding unit and the information providing-side network, may connectvia the transfer unit, while maintaining their own unique addressarchitecture, respectively. As a result, since it is unnecessary for thecommunication system to unify its address architecture, thecommunication system can be constructed at low cost.

Furthermore, it is preferable that the transfer unit memorizes athreshold value for an amount of the information data from theinformation providing unit for transfer at once, compares the thresholdvalue with an amount of the information data received from theinformation providing unit via the information providing-side network,and controls transfer of the transmitting-side data and theproviding-side data based on the comparison result. Therefore, bydetermining the threshold value for the amount of data for transfer atonce, according to the processing abilities of the informationtransmitting-side network, the information providing-side network, thetransfer unit, and the information transmitter, the quality ofinformation data transmission by the information transmitter, and thenumber of terminals receiving information data, the communication systemcan transfer the transmitting-side data and the providing-side dataappropriately according to the processing abilities of the networks andthe transfer unit, the quality of information data to be provided, andthe number of terminals.

In addition, it is preferable that the communication system transmitsvideo data as the information data. In the communication system of thepresent invention, between the group of the information transmitter andthe transmitting-side network, and the group of the informationproviding unit and or the providing-side network, only specific datathat has been transmitted from the information transmitter or theinformation providing unit is transmitted. Therefore, the informationtransmitter can even efficiently receive large-capacity data such asvideo data. In addition, it is preferable that at least one of theinformation providing-side network and the information transmitting-sidenetwork is a VPN.

A transfer device of the present invention connects an informationproviding-side network connecting an information providing unitproviding information data and being restricted access, and aninformation transmitting-side network connecting an informationtransmitter obtaining the information data by transmitting request datafor requesting the information data to the information providing unitand transmitting obtained information data to a terminal, and beingrestricted access, determines whether or not transmitting-side datareceived via the information transmitting-side network is datatransmitted from the information transmitter, and whether or notproviding-side data received via the information providing-side networkis data transmitted from the information providing unit, and transfersthe transmitting-side data and the providing-side data based on thedetermination results.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a diagram illustrating a conventional communication system;

FIG. 2 is a diagram illustrating a configuration of a communicationsystem according to a first embodiment of a present invention;

FIG. 3 is a block diagram illustrating a configuration of a routeraccording to the first embodiment of the present invention;

FIGS. 4A through 4D are diagrams illustrating address conversionsaccording to the first embodiment of the present invention;

FIG. 5 is a block diagram illustrating a configuration of a streamingserver according to the first embodiment of the present invention;

FIG. 6 is a block diagram illustrating a configuration of a video dataproviding unit according to the first embodiment of the presentinvention;

FIG. 7 is a flow chart illustrating a procedure for a communicationmethod according to the first embodiment of the present invention;

FIG. 8 is a diagram illustrating a configuration of a communicationsystem according to a second embodiment of the present invention;

FIG. 9 is a block diagram illustrating a configuration of a routeraccording to the second embodiment of the present invention;

FIG. 10 is a diagram illustrating a configuration of a communicationsystem according to a third embodiment of the present invention; and

FIG. 11 is a block diagram illustrating a configuration of a routeraccording to the third embodiment of the present invention.

BEST MODE FOR CARRYING OUT THE INVENTION FIRST EMBODIMENT

(Communication System)

As shown in FIG. 2, a communication system 1 comprises a plurality ofvideo data providing units 10, a providing-side VPN 20, a providing-sideserver 30, a router 40, a transmitting-side VPN 50, a streaming server60, and a plurality of mobile terminals 70.

The video data providing units 10 are information providing units, whichprovide information data. The video data providing units 10 providevideo data as information data. Each of the video data providing units10 provides video data only to mobile terminals 70 used by users who areallowed to receive video data, from an information provider who providesinformation data such as video data. Note that in order to receive videodata, a user of a mobile terminal 70 must be allowed to receive videodata from an information provider, and obtain a user ID, a unique callerID for the mobile terminal 70, or a password.

Each of the video data providing units 10 comprises a camera 11 and avideo data providing server 12. The cameras 11 and the video dataproviding servers 12 are provided at multiple locations, such as anelevator, a private residence, a collective housing includingapartments, a kindergarten, a day care center, a school, a publicfacility, a store, a construction site, or a tourist attraction, wherewatching and listening real-time video data therefrom is desired bypeople. As a result, video data includes real-time video data ofmultiple locations, such as an elevator, a private residence, acollective housing, a kindergarten, a day care center, a school, apublic facility, a store, a construction site, or a tourist attraction.As described above, video data includes data for security purposes andcorporate data. Each of the video data providing units 10 provides videodata to the streaming server 60, in response to a request or aninstruction for video data from the streaming server 60. Each of thevideo data providing units 10 connects to the providing-side VPN 20.Each of the video data providing units 10 then transmits video data tothe streaming server 60 via the providing-side VPN 20, the router 40,and the transmitting-side VPN 50.

The providing-side VPN 20 is an information providing-side network,which connects the video data providing units 10 being the informationproviding unit, and is restricted access. The providing-side VPN 20connects to the router 40, and connects to the transmitting-side VPN 50via that router 40. The providing-side VPN 20 comprises anauthentication server 21. The authentication server 21 restricts accessfrom video data providing units 10, the providing-side server 30, andother terminals, which attempt to access the providing-side VPN 20, byauthentication using user IDs, passwords, or caller IDs. As a result,video data providing units 10 and the providing-side server 30 aresubjected to authentication processing when initially accessing andconnecting to the providing-side VPN 20. Note that authentication may becarried out using only a caller ID, using a user ID and a password, orusing a user ID, a password, and a caller ID. The providing-side server30 is a server connecting to the providing-side VPN 20. Theproviding-side server 30 performs various information processing.

The video data providing units 10, the providing-side VPN 20, and theproviding-side server 30 have the same security policy, and use the sameaddress architecture. The video data providing units 10, theproviding-side VPN 20, and the providing-side server 30A, which have aunified unique security policy and a unified unique address architectureare constructed by an information provider.

The streaming server 60 is an information transmitter, which obtainsvideo data as information data, by transmitting request data forrequesting video data to a video data providing unit 10 being theinformation providing unit, and transmits the obtained video data to amobile terminal 70. The streaming server 60 connects to thetransmitting-side VPN 50, and transmits request data or instruction dataincluding instructions for a video data providing unit 10, to a videodata providing unit 10, via the transmitting-side VPN 50, the router 40,and the providing-side VPN 20. In addition, the streaming server 60connects to a mobile terminal 70 via a radio link and transmits thevideo data obtained from the video data providing unit 10, to the mobileterminal 70 by streaming.

The streaming server 60 authenticates a user of a mobile terminal 70. Inthis manner, instead of the video data providing unit 10, the streamingserver 60 confirms whether or not a user of mobile terminal 70 isallowed to receive video data from an information provider. Thestreaming server 60 then transmits request data or instruction data to avideo data providing unit 10, in response to a request from only aspecific mobile terminal 70 of a user, who has been confirmed as a userallowed to receive video data, by authentication processing. As aresult, the video data providing units 10 may provide video data only toa specific mobile terminal 70, which is used by the user allowed toreceive it.

The transmitting-side VPN 50 is an information transmitting-sidenetwork, which connects the streaming server 60 being the informationtransmitter, and is restricted access. The transmitting-side VPN 50connects to the router 40. The transmitting-side VPN 50 connects to theproviding-side VPN 20 via the router 40. The transmitting-side VPN 50comprises an authentication server 51. For the streaming server 60 andother terminals, which attempt to access the transmitting-side VPN 50,the authentication server 51 restricts access using authentication ofuser IDs, passwords, or caller IDs. As a result, when initiallyaccessing and connecting to the transmitting-side VPN 50, the streamingserver 60 is also subjected to authentication processing.

The streaming server 60 and the transmitting-side VPN 50 have the samesecurity policy, and use the same address architecture. The streamingserver 60 and the transmitting-side VPN 50 having a unified uniquesecurity policy and a unified unique address architecture areconstructed by an information transmitter who provides services oftransmitting information data such as video data to mobile terminals 70.

The router 40 connects the transmitting-side VPN 50, which is theinformation transmitting-side network, and the providing-side VPN 20,which is the information providing-side network. The router 40 is atransfer unit, which determines whether or not transmitting-side datareceived via the transmitting-side VPN 50 is data transmitted from thestreaming server 60, and whether or not providing-side data received viathe providing-side VPN 20 is data transmitted from a video dataproviding unit 10, and transfers the transmitting-side data and theproviding-side data, based on those determination results. Note that therouter 40 has function of routing.

Each of the mobile terminals 70 receives video data by connecting to thestreaming server 60 via a radio link. Each of the mobile terminals 70can receive desirable video data, by requesting the streaming server 60to transmit the video data by specifying the type of requested videodata or the location of a camera 11, or instructing the streaming server60 to change a recorded object or a recording angle. Each of the mobileterminals 70 decodes and replays the received coded video data.

Next, each configuration is described in detail. To begin with, therouter 40 is described in detail. As shown in FIG. 3, the router 40comprises interfaces (hereafter, referred to as I/F) 41 and 42, acontroller 43, and a table 44. The I/F 41 connects to thetransmitting-side VPN 50. On the other hand, the I/F 42 connects to theproviding-side VPN 20. Thus, since the router 40 comprises the I/F 41connecting to the transmitting-side VPN 50 and the I/F 42 connecting tothe providing-side VPN 20, the router 40 can connect thetransmitting-side VPN 50 and the providing-side VPN 20. The I/F 41receives transmitting-side data via the transmitting-side VPN 50, andinputs the received transmitting-side data to the controller 43. Inaddition, the I/F 41 transfers the data input from the controller 43 tothe streaming server 60 via the transmitting-side VPN 50. Meanwhile, theI/F 42 receives providing-side data via the providing-side VPN 20, andinputs the received providing-side data to the controller 43. Inaddition, the I/F 42 transfers the data input from the controller 43 toa video data providing unit 10 via the providing-side VPN 20.

The controller 43 controls the transfer of data. To begin with, thecontroller 43 determines whether or not the transmitting-side data isdata that has been transmitted from the streaming server 60, and whetheror not the providing-side data is data that has been transmitted from avideo data providing unit 10, and controls transfer of thetransmitting-side data and the providing-side data based on thosedetermination results. In this case, the router 40 converts an addressattached to data that has been transmitted to a video data providingunit 10 from the streaming server 60, into an address suitable for theproviding-side VPN 20 (hereafter, referred to as a providing-side VPNaddress), converts an address attached to data that has been transmittedto the streaming server 60 from a video data providing unit 10, into anaddress suitable for the transmitting-side VPN 50 (hereafter, referredto as a transmitting-side VPN address), and then transfers the data.Note that the local addresses specified in each network, for example,may be used as a providing-side VPN address and a transmitting-side VPNaddress. As such, the address is attached to data.

Table 44 stores the addresses given to each of the video data providingunits 10 and the streaming server 60. Furthermore, table 44 also storestransmitting-side VPN addresses corresponding to the providing-side VPNaddresses, which are given to each of the video data providing units 10.Similarly, table 44 also stores providing-side VPN addressescorresponding to the transmitting-side VPN addresses, which are given tothe streaming server 60. FIG. 3 illustrates table 44 when aproviding-side VPN address “abcd” is given to a video data providingunit 10 and transmitting-side VPN address corresponding to “abcd” is“ABCD”, and a transmitting-side VPN address “EFGH” is given to thestreaming server 60 and a providing-side VPN address corresponding to“EFGH” is “efgh”.

When the transmitting-side data that the router 40 has received is inputfrom the I/F 41, the controller 43 accesses the table 44 and determineswhether or not the source address attached to the transmitting-side datamatches the address of the streaming server 60 stored in table 44. Forexample, it is assumed that the router 40 has received astransmitting-side data a packet 101, which includes request dataattached a source address and a destination address as shown in FIG. 4A,via the transmitting-side VPN 50. In this case, since the source address“EFGH” of the packet 101 matches the transmitting-side VPN address ofthe streaming server 60 stored in table 44, the controller 43 determinesthat the request data is data transmitted from the streaming server 60.

The controller 43 then obtains the providing-side VPN addressescorresponding to the source address and the destination addressindicated by the transmitting-side VPN addresses of the packet 101, byaccessing table 44. The controller 43 converts the source address “EFGH”and the destination address “ABCD” indicated by the transmitting-sideVPN addresses of the packet 101, into the source address “efgh” and thedestination address “abcd” indicated by the obtained providing-side VPNaddresses, thereby obtains a packet 102 shown in FIG. 4B. Finally, thecontroller 43 inputs the packet 102 with the converted addresses to theI/F 42, and transfers the packet 102 to a video data providing unit 10via the providing-side VPN 20.

Similarly, when the providing-side data that the router 40 has receivedis input from the I/F 42, the controller 43 accesses table 44 anddetermines whether or not the source address attached to theproviding-side data is one of the addresses for the video data providingunits 10 stored in the table 44. For example, it is assumed that therouter 40 has received as providing-side data a packet 103, which isincludes video data attached a source address and a destination addressas shown in FIG. 4C, via the providing-side VPN 20. In this case, sincethe source address “abcd” of the packet 103 matches the providing-sideVPN address of a video data providing unit 10 stored in table 44, thecontroller 43 determines that the video data is data transmitted fromthe video data providing unit 10.

The controller 43 then obtains the transmitting-side VPN addressescorresponding to the source address and the destination addressindicated by the providing-side VPN addresses of the packet 103, byaccessing table 44. The controller 43 converts the source address “abcd”and the destination address “efgh” indicated by the providing-side VPNaddresses of the packet 103, into the source address “ABCD” and thedestination address “EFGH” indicated by the obtained transmitting-sideVPN addresses, thereby obtains a packet 104 shown in FIG. 4D. Finally,the controller 43 inputs the I/F 41 the converted packet 104, andtransfers the packet 104 to the streaming server 60 via thetransmitting-side VPN 50.

Note that when the source address attached to the transmitting-side datathat has been received by the router 40, does not match thetransmitting-side VPN address of the streaming server 60 stored in table44, the controller 43 does not transfer and discards thetransmitting-side data. Similarly, when the source address attached tothe providing-side data that has been received by the router 40, doesnot match the providing-side VPN addresses of the video data providingunits 10 stored in table 44, the controller 43 does not transfer anddiscards the providing-side data.

Furthermore, the controller 43 memorizes a threshold value for an amountof video data from a video data providing unit 10 for transfer at once.The threshold value for the amount of video data may be set according tothe processing abilities of the providing-side VPN 20, thetransmitting-side VPN 50, the router 40, and the streaming server 60,the quality when the streaming server 60 transmits video data to amobile terminal 70, and the number of mobile terminals, which receivevideo data by connecting to streaming server 60 via a radio link. Notethat the amount of video data for transfer at once may be, for example,represented by the amount of data for transfer per unit time, that is,by the transfer speed.

The controller 43 compares the threshold value with the amount of videodata that has been transmitted from a video data providing unit 10 andreceived by the router 40 via the providing-side VPN 20. Note that theamount of video data received by the router 40 may also be representedby, for example, the amount of data to be received by the router 40 perunit time, that is, by the data transfer speed of the providing-side VPN20. The controller 43 then controls transfer of the transmitting-sidedata and the providing-side data based on the comparison result. Morespecifically, when the controller 43 receives request data to a newvideo data providing unit 10, which is not currently providing videodata, from the streaming server 60, the controller 43 transfers therequest data, when the amount of video data being received by the router40 via the providing-side VPN 20 is less than the threshold value.

Meanwhile, when the controller 43 receives request data to a new videodata providing unit 10, which is not currently providing video data,from the streaming server 60, the controller 43 does not transfer therequest data, when the amount of video data received by the router 40via the providing-side VPN 20 is more than or equal to the thresholdvalue. Furthermore, the controller 43 notifies the streaming server 60that the transfer of the request data has been rejected. Morespecifically, the controller 43 inputs the I/F 41 notification oftransfer rejection. The I/F 41 then transmits the notification oftransfer rejection to the streaming server 60 via the transmitting-sideVPN 50. Thus, if the amount of video data from a video data providingunit 10 for transfer at once reaches the threshold value, the router 40rejects a new request for video data from the streaming server 60. As aresult, the router 40 can avoid transferring excessive request data.

Note that such router 40 may be implemented by making a computer run aprogram for causing a computer to function as a transfer device, whichconnects the information providing-side network and the informationtransmitting-side network, determines whether or not transmitting-sidedata is data that has been transmitted from the information transmitter,or whether or not providing-side data is data that has been transmittedfrom the information providing unit, and transfers the transmitting-sidedata and providing-side data based on the determination results.

Next, the streaming server 60 is described in detail. As shown in FIG.5, the streaming server 60 comprises I/Fs 61 and 62, a controller 63, adatabase 64, and a transmitter 65. The I/F 61 connects to mobileterminals 70 via radio links, and transmits/receives data to/from mobileterminals 70. The I/F 61 receives a user ID, a password, and an callerID for authentication, a request for video data by specifying the typeof requested video data or the location of a camera 11, and aninstruction for changing a recorded object or a recording angle, from amobile terminal 70. The I/F 61 inputs the user ID, the password, thecaller ID, the request, and the instruction received from a certainmobile terminal 70 to the controller 63. In addition, video data isinput to the I/F 61 from the transmitter 65. Control data such asinstructions and notifications from the streaming server 60 to themobile terminal 70 is also input to the I/F 61 from the controller 63.The I/F 61 transmits the input video data and control data to the mobileterminal 70 via the radio link.

The I/F 62 connects to the transmitting-side VPN 50. The I/F 62 receivesvideo data from a video data providing unit 10 via the transmitting-sideVPN 50. In addition, the I/F 62 receives notification of transferrejection from the router 40 via the transmitting-side VPN 50. The I/F62 inputs to the controller 63 the received video data and notificationof transfer rejection. In addition, a packet including request data orinstruction data is input to the I/F 62 from the controller 63. The I/F62 transmits the input packet including request data or instruction datato a video data providing unit 10 via the transmitting-side VPN 50.

The database 64 stores user information, such as a user ID, a password,and a caller ID, which have been given to a user of a mobile terminal 70by an information provider. The database 64 also stores informationconcerning the video data providing units 10, such as the type of videodata provided from each video data providing unit 10, locations whereeach of the video data providing units 10 is located, and addresses,which are given to each of the video data providing units 10 andindicated by the transmitting-side VPN addresses. In addition, thedatabase 64 stores control information to be used for obtaining videodata by transmitting request data or instruction data.

The controller 63 controls transmission of the request data orinstruction data to each of the video data providing units 10. Thecontroller 63 also controls transmission of the obtained video data to amobile terminal 70. In addition, the controller 63 authenticates usersof the mobile terminals 70. To begin with, when a request for video datafrom a mobile terminal 70 is input from the I/F 61, the controller 63asks a mobile terminal 70 to transmit its user ID, password, and callerID, and authenticates them. More specifically, once the controller 63receives the user ID, the password, and the caller ID from the mobileterminal 70 via the I/F 61, it then accesses the database 64 anddetermines whether or not the user ID, the password, and the caller IDmatch those stored in the database 64. If the user ID, the password, andthe caller ID do not match, the controller 63 once again asks the mobileterminal 70 to transmit its user ID, password, and caller ID. If theuser ID, the password, and the caller ID do not match those stored inthe database 64, even if authentication is carried out a specifiednumber of times, the controller 63 rejects the request for video datafrom the mobile terminal 70.

Otherwise, if the user ID, the password, and the caller ID match and theuser of the mobile terminal 70 is confirmed as being allowed to receivevideo data, the controller 63 accesses the database 64 and retrieves anaddress, which is indicated by the transmitting-side VPN address, for avideo data providing unit 10 providing video data of a type or alocation requested by the mobile terminal 70. The controller 63 thensets the address of a video data providing unit 10 indicated by thetransmitting-side VPN address as a destination address, sets the addressof the streaming server 60 indicated by the transmitting-side VPNaddress as a source address, and generates a packet 101 as shown in FIG.4A including request data for requesting video data, which type andlocation of the video data are specified. The controller 63 inputs thegenerated packet 101 to the I/F 62 and instructs it to transmit to thevideo data providing unit 10. In addition, when the controller 63receives an instruction from the authorized mobile terminal 70 from theI/F 61, it then generates a packet including instruction data totransmit to the video data providing unit 10, as with the case ofgenerating a packet including request data, and inputs it to the I/F 62.In this manner, the controller 63 requests and instructs a video dataproviding unit 10 to provide video data.

When transmitting request data or instruction data to a video dataproviding unit 10, the controller 63 gives a sequence number to therequest data or instruction data. The controller 63 records controlinformation, which the sequence numbers given to the request data andinstruction data are associated with the address of a mobile terminal 70transmitting the request and instruction to the streaming server 60, tothe database 64.

Video data obtained from a video data providing unit 10 is input to thecontroller 63 via the I/F 62. Video data is given the same sequencenumber as that of the request data or instruction data, which has beentransmitted in order to obtain the video data. The controller 63accesses the database 64 based on the sequence number given to the videodata and retrieves the address of a specific mobile terminal 70transmitting a request or an instruction of the video data. Thecontroller 63 then inputs the obtained video data attached with addressof the mobile terminal 70 to the transmitter 65, and instructs it totransmit to the mobile terminal 70. The transmitter 65 transmits thevideo data input from the controller 63 to the mobile terminal 70 viathe I/F 61. The transmitter 65 transmits the video data by streaming.Note that when the I/F 62 receives notification of transfer rejectionfrom the router 40, the controller 63 generates congestion notification,which notify the mobile terminal 70 that video data cannot be providedsince the network is currently congested. The controller 63 inputs theI/F 61 the generated congestion notification. The I/F 61 then transmitsthe congestion notification to the mobile terminal 70.

Next, a video data providing unit 10 is described in detail. As shown inFIG. 6, a video data providing unit 10 comprises a camera 11 and a videodata providing server 12. The camera 11 is a recording unit, whichrecords video data. The camera 11 operates according to instructionsinput from the video data providing server 12. For example, the camera11 receives an instruction for inputting recorded video data or changinga recorded object and/or a recording angle, from the video dataproviding server 12. The camera 11 records according to the instructionfrom the video data providing server 12, and inputs video data recordedin real time, to the video data providing server 12.

The video data providing server 12 controls the camera 11 based onrequest data or instruction data from the streaming server 60, andprovides video data recorded by the camera 11 to the streaming server60. The video data providing server 12 comprises I/Fs 121 and 122, acontroller 123, and an encoder 124. The I/F 121 connects to theproviding-side VPN 20. The I/F 211 receives request data or instructiondata from the streaming sever 60 via the providing-side VPN 20. The I/F121 inputs the received request data or instruction data to thecontroller 123. In addition, video data is input to the I/F 121 from thecontroller 123. The I/F 121 then transmits the video data input from thecontroller 123 to the streaming server 60 via the providing-side VPN 20.

The I/F 122 connects to the camera 11. The I/F 122 inputs the camera 11an instruction input from the controller 123. In addition, the I/F 122inputs the video data input from the camera 11 to the encoder 124. Theencoder 124 encodes the video data input from the I/F 122. The encoder124 then inputs the encoded video data to the controller 123.

The controller 123 instructs and controls the camera 11 based on therequest data or instruction data input from the I/F 121. The controller123 inputs an instruction of the camera 11 to the I/F 122. In addition,the controller 123 gives the same sequence number to the video datainput from the encoder 124 as that given to the request data orinstruction data regarding the video data. In addition, the controller123 stores the address of the streaming server 60 indicated by theproviding-side VPN address. The controller 63 then sets the address ofthe streaming server 60 indicated by the providing-side VPN address as adestination address, sets the address of the video data providing unit10 indicated by the providing-side VPN address as a source address, andgenerates a packet 103 including video data as shown in FIG. 4C. Thecontroller 63 inputs the generated packet 103 to the I/F 121 andinstructs it to transmit to the streaming server 60.

(Communication Method)

Next, a communication method using the communication system 1 shown inFIG. 2 is described. As shown in FIG. 7, to begin with, a mobileterminal 70 requests video data to the streaming server 60 (S101). Thestreaming server 60 asks the mobile terminal 70 to transmit a user ID,password, and caller ID, and authenticates them (S102). When a user ofthe mobile terminal 70 is determined as being allowed to receive videodata from an information provider, the streaming server 60 transmits apacket including request data to a video data providing unit 10, basedon the request from the mobile terminal 70 (S103). In this case, anaddress indicated by the transmitting-side VPN address is attached tothe request data.

The router 40 receives as transmitting-side data a packet includingrequest data from the streaming server 60 via the transmitting-side VPN50. The router 40 converts the address indicated by thetransmitting-side VPN address, which is attached to the request data,into the address indicated by the providing-side VPN address (S104). Therouter 40 then transfers the packet including request data attached theaddress indicated by the providing-side VPN address, to the video dataproviding unit 10 (S105). The video data providing unit 10 transmitsvideo data corresponding to the received request data to the streamingserver 60 (S106). In this case, an address indicated by theproviding-side VPN address is attached to the video data.

The router 40 receives a packet including video data from the video dataproviding unit 10, as providing-side data, via the providing-side VPN20. The router 40 converts the address indicated by the providing-sideVPN address attached to the video data, into the address indicated bythe transmitting-side VPN address (S107). The router 40 then transfersthe packet including video data attached to the address indicated by thetransmitting-side VPN address, to the streaming server 60(S108). Thestreaming server 60 transmits video data obtained from the video dataproviding unit 10 to the mobile terminal 70 (S109).

According to the communication system 1, router 40, and communicationmethod, the video data providing units 10 connect to the restrictedaccess providing-side VPN 20, and the streaming server 60 connects tothe restricted access transmitting-side VPN 50. Therefore, the videodata providing units 10 and the streaming server 60 connect to differentnetworks, respectively. The router 40 determines whether or nottransmitting-side data such as request data or instruction data receivedvia the transmitting-side VPN 50 is data that has been transmitted fromthe streaming server 60. In addition, the router 40 determines whetheror not providing-side data such as video data received via theproviding-side VPN is data that has been transmitted from a video dataproviding unit 10. The router 40 then transfers the transmitting-sidedata and providing-side data based on those determination results.

Therefore, it is unnecessary to construct a network connecting both thestreaming server 60 and the video data providing units 10 with a unifiedsecurity policy. Accordingly, a group of the streaming server 60 and thetransmitting-side VPN 50, and a group of a video data providing unit 10and the providing-side VPN 20, may connect via the router 40, whilemaintaining their own unique security policies, respectively. Inaddition, the router 40 determines whether or not transmitting-side dataand providing-side data are data that have been transmitted from thestreaming server 60 and a video data providing unit 10, respectively,and transfers data based on that determination result.

Accordingly, the group of the streaming server 60 and thetransmitting-side VPN 50, and the group of the video data providing unit10 and the providing-side VPN 20, only specific data that has beentransmitted from the streaming server 60 or the video data providingunit 10 is transmitted. Furthermore, access to the providing-side VPN 20and the transmitting-side VPN 50 is restricted, respectively. As aresult, the high security of communication system 1 may be ensured.

Since it is unnecessary to construct a network connecting both thestreaming server 60 and the video data providing unit 10, with a unifiedsecurity policy, the communication system 1 can be constructed utilizingthe existing transmitting-side VPN 50 connecting the streaming server 60and the existing providing-side VPN 20 connecting the video dataproviding unit 10, thereby provide video data providing services.Accordingly, the communication system 1 can be efficiently constructedat low cost.

In addition, in the communication system 1, between the group of thestreaming server 60 and the transmitting-side VPN 50, and the group ofthe video data providing unit 10 and the providing-side VPN 20, onlyspecific data that has been transmitted from the streaming server 60 orthe video data providing unit 10 is transmitted. Therefore, thestreaming server 60 can even efficiently receive large-capacity datasuch as video data.

Furthermore, the router 40 converts the address attached to datatransmitted to a video data providing unit 10 from the streaming server60, into the providing-side VPN address, and converts the addressattached to video data transmitted to the streaming server 60 from thevideo data providing unit 10, into the transmitting-side VPN address.Accordingly, the group of the streaming server 60 and thetransmitting-side VPN 50, and the group of the video data providing unit10 and the providing-side VPN 20, may connect via the router 40 whilemaintaining their own unique address architecture, respectively. As aresult, since it is unnecessary for the communication system 1 to unifythe address architecture, the communication system 1 can be constructedat low cost. In addition, the video data providing unit 10 can providevideo data providing services utilizing its own unique address.

Furthermore, the router 40 stores a threshold value for the amount ofvideo data from the video data providing unit 10 for transfer at once.The router 40 then compares the threshold value with the amount of videodata received via the providing-side VPN 20, which has been transmittedfrom the video data providing unit 10, and controls transfer of thetransmitting-side data and the providing-side data based on thecomparison result. In addition, the threshold value for the amount ofdata for transfer at once may be defined according to the processingabilities of the providing-side VPN 20, the transmitting-side VPN 50,the router 40, and the streaming server 60, the quality of video datatransmission to the mobile terminal 70 from the streaming server 60, andthe number of mobile terminals 70 connecting via a radio link to thestreaming server 60 and receiving video data. Therefore, the router 40can transfer data appropriately according to the processing abilities ofthe providing-side VPN 20, the transmitting-side VPN 50, the router 40,and the streaming server 60, the quality of video data transmission tothe mobile terminal 70 from the streaming server 60, and the number ofmobile terminals 70 receiving video data.

SECOND EMBODIMENT

Next, a second embodiment of the present invention is described. Asshown in FIG. 8, a communication system 201 comprises a plurality ofvideo data providing units (A) 10 a, a providing-side VPN (A) 20 a, aproviding-side server (A) 30 a, a plurality of video data providingunits (B) 10 b, a providing-side VPN (B) 20 b, a providing-side server(B) 30 b, a router 40, a transmitting-side VPN 50, a streaming server260, a plurality of mobile terminals (A) 70 a, and a plurality of mobileterminals (a) 70 b. The transmitting-side VPN 50 is the same as thetransmitting-side VPN 50 shown in FIG. 2.

The video data providing units (A) 10 a comprises a camera (A) 11 a anda video data providing server (A) 12 a. The video data providing units(A) 10 a connect to the providing-side VPN (A) 20 a. Each of the videodata providing units (A) 10 a then transmits video data to the streamingserver 260 via the providing-side VPN (A) 20 a, the router 240, and thetransmitting-side VPN 50. The video data providing units (A) 10 aprovides video data only to a specific mobile terminal (A) 70 a, whichis used by a user allowed to receive video data from an informationprovider A. Note that the mobile terminal (A) 70 a is a mobile terminalused by a user who has been allowed to receive video data from theinformation provider A and has obtained a user ID, a password, and ancaller ID for receiving video data.

The providing-side VPN (A) 20 a is an information providing-side networkconnecting the video data providing units (A) 10 a and being restrictedaccess. The providing-side VPN (A) 20 a connects to the router 240, andconnects to the transmitting-side VPN 50 via the router 240. Theproviding-side VPN (A) 20 a comprises an authentication server (A) 21 a.For a video data providing unit (A) 10 a, the providing-side server (A)30 a, and other terminals, which attempt to access the providing-sideVPN (A) 20 a, the authentication server (A) 21 a restricts access usingauthentication of user IDs, passwords, and caller IDs. Theproviding-side server (A) 30 a is a server connecting to theproviding-side VPN (A) 20 a. The providing-side server (A) 30 a performsvarious information processing.

The video data providing units (A) 10 a, the providing-side VPN (A) 20a, and the providing-side server (A) 30 a have the same security policy,and use the same address architecture. The video data providing unit (A)10 a, the providing-side VPN (A) 20 a, and the providing-side server (A)30 a, which have a unified unique security policy and a unified uniqueaddress architecture are constructed by an information provider A.

The video data providing units (B) 10 b comprises a camera (B) 11 b anda video data providing server (B) 12 b. The video data providing units(B) 10 b connect to the providing-side VPN (B) 20 b. The video dataproviding units (B) 10B then transmit video data to the streaming server260 via the providing-side VPN (B) 20 b, the router 240, and thetransmitting-side VPN 50. The video data providing units (B) 10 bprovide video data only to a specific mobile terminal (B) 70 b used by auser who has been allowed to receive video data from an informationprovider B. Note that the mobile terminals (B) 70 b is a mobile terminalused by a user who has been allowed to receive video data from theinformation provider B and has obtained a user ID, a password, and acaller ID for receiving video data.

The providing-side VPN (B) 20 b is an information providing-side networkconnecting the video data providing units (B) 10 b and being restrictedaccess. The providing-side VPN (B) 20 b connects to thetransmitting-side VPN 50, and connects to the transmitting-side VPN 50via the router 240. The providing-side VPN (B) 20 b comprises anauthentication server (B) 21 b. For a video data providing unit (B) 10b, the providing-side server (B) 30 b, and other terminals, whichattempt to access the providing-side VPN (B) 20 b, the authenticationserver (B) 21 b restricts access using authentication of user IDs,passwords, and caller IDs. The providing-side server (B) 30 b is aserver connecting to the providing-side VPN (B) 20 b. The providing-sideserver (B) 30 b performs various information processing.

The video data providing units (B) 10 b, the providing-side VPN (B) 20b, and the providing-side server (B) 30 b have the same security policy,and use the same address architecture. The video data providing units(B) 10 b, the providing-side VPN (B) 20 b, and the providing-side server(B) 30 b, which have a unified unique security policy and a unifiedunique address architecture constructed by an information provider Bthat differs from the information provider A.

As such, the communication system 201 comprises a plurality ofinformation providing-side networks, such as the providing-side VPN (A)20 a and the providing-side VPN (B) 20 b. The video data providing units(A) 10 a and the video data providing units (B) 10 b connect to aplurality of information providing-side networks, that is, theproviding-side VPN (A) 20 a and the providing-side VPN (B) 20 b,respectively. More specifically, as described above, a plurality ofvideo data providing units (A) 10 a, which have the same security policyand use the same address architecture as the providing-side VPN (A) 20a, connect to the providing-side VPN (A) 20 a. On the other hand, aplurality of video data providing units (B) 10 b, which have the samesecurity policy and use the same address architecture as theproviding-side VPN (B) 20 b, connect to the providing-side VPN (B) 20 b.Thus, in the communication system 201, there are s plurality of groupsthat need to ensure the security between an information providing unitand the streaming server 260, including a group between the streamingserver 260 and the video data providing units (A) 10 a, and a groupbetween the streaming server 260 and the video data providing units (B)10 b.

When receiving a request or an instruction for the video data providingunit (A) 10 a from a mobile terminal, the streaming server 260 performsauthentication processing in order to confirm whether or not the user ofthe mobile terminal is allowed to receive video data from theinformation provider A. The streaming server 260 then transmits requestdata or instruction data to the video data providing unit (A) 10 a, inresponse to a request only from the mobile terminal (A) 70 a used by auser who has been confirmed as being allowed to receive video data fromthe information provider A. The streaming server 260 then transmits tothe mobile terminal (A) 70 a video data, which is obtained bytransmitting request data or instruction data to the video dataproviding unit (A) 10 a.

Similarly, when receiving a request or an instruction for the video dataproviding unit (B) 10 b from a mobile terminal, the streaming server 260performs authentication processing, which confirms whether or not a userof the mobile terminal is allowed to receive video data from theinformation provider B. The streaming server 260 then transmits requestdata or instruction data to the video data providing unit (B) 10 b, inresponse to a request only from the mobile terminal (B) 70 b used by auser who has been confirmed as being allowed to receive video data fromthe information provider B. The streaming server 260 then transmits tothe mobile terminal (B) 70 b video data, which is obtained bytransmitting request data or instruction data to the video dataproviding unit (B) 10 b.

As a result, the video data providing units (A) 10 a can provide videodata only to a mobile terminal (A) 70 a, which is used by a user allowedby the video data provider A. On the other hand, each of the video dataproviding units (B) 10 b can provide video data only to a mobileterminal (B) 70 b, which is used by a user allowed by the video dataprovider B. Otherwise, the streaming server 260 is substantially thesame as the streaming server 60 shown in FIGS. 2 and 5.

As shown in FIG. 9, the router 240 comprises I/Fs 241, 242 a, and 242 b,a controller 243, and a database 244. The I/F 241 connects to thetransmitting-side VPN 50. The I/F 242 a connects to the providing-sideVPN (A) 20 a. The I/F 242 b connects to the providing-side VPN (B) 20 b.Thus, since the router 240 comprises the I/F 241 connecting to thetransmitting-side VPN 50, the I/F 242 a connecting to the providing-sideVPN (A) 20 a, and the I/F 242 b connecting to the providing-side VPN (B)20 b, the router 240 may connect the transmitting-side VPN 50 and theproviding-side VPN (A) 20 a, and the transmitting-side VPN 50 and theproviding-side VPN (B) 20 b, respectively. In other words, if the router240 has as many I/Fs, which connect to the respective informationproviding-side networks, as the number of information providing-sidenetworks, the router 240 may connect between the informationtransmitting-side network and a plurality of information providing-sidenetworks, respectively. Note that the router 240 has function ofrouting.

The I/F 241 is substantially the same as the I/F 41 shown in FIG. 2.Meanwhile, the I/F 242 a receives providing-side data via theproviding-side VPN (A) 20 a, and inputs the received providing-side datato the controller 243. In addition, the I/F 242 a transfers data inputfrom the controller 243 to the video data providing unit (A) 10 a viathe providing-side VPN (A) 20 a. The I/F 242 b receives providing-sidedata via the providing-side VPN (B) 20 b, and inputs the receivedproviding-side data to the controller 243. In addition, the I/F 242 btransfers data input from the controller 243 to the video data providingunit (B) 10 b via the providing-side VPN (B) 20 b.

The controller 243 determines whether or not the transmitting-side datareceived via the transmitting-side VPN 50 is data that has beentransmitted from the streaming server 260, and whether or not theproviding-side data received via the providing-side VPN (A) 20 a or theproviding-side VPN (B) 20 b is data that has been transmitted from thevideo data providing unit (A) 10 a or the video data providing unit (B)10 b, and controls transfer of the transmitting-side data and theproviding-side data based on those determination results.

In this case, the router 240 converts the address attached to data thathas been transmitted to the video data providing unit (A) 10 a from thestreaming server 260, into an address suitable for the providing-sideVPN (A) 20 a (hereafter, referred to as a providing-side VPN (A)address), converts the address attached to data that has beentransmitted to the video data providing unit (B) 10 b from the streamingserver 260, into an address suitable for the providing-side VPN (B) 20 b(hereafter, referred to as a providing-side VPN (B) address), convertsthe address attached to data that has been transmitted to the streamingserver 260 from the video data providing unit (A) 10 a or the video dataproviding unit (B) 10 b, into a transmitting-side VPN address, and thentransfer data.

The database 244 comprises tables 244 a and 244 b. Table 244 a storesaddresses given to each of the video data providing units (A) 10 a andthe streaming server 260. Furthermore, table 244 a storestransmitting-side VPN addresses corresponding to the providing-side VPN(A) addresses, which are given to each of the video data providing units(A) 10 In addition, table 244 a stores providing-side VPN (A) addressescorresponding to the transmitting-side VPN addresses, which are given tothe streaming server 260. FIG. 9 illustrates table 244 a, which: aproviding-side VPN (A) address “abcd” is given to the video dataproviding unit (A) 10 a and corresponding transmitting-side VPN addressis “ABCD”; and a transmitting-side VPN address “EFGH” is given to thestreaming server 260 and corresponding providing-side VPN (A) address is“efgh”.

On the other hand, table 244 b stores addresses given to each of thevideo data providing units (B) 10 b and the streaming server 260.Furthermore, table 244 b stores transmitting-side VPN addressescorresponding to the providing-side VPN (B) addresses, which are givento each of the video data providing units (B) 10 b. In addition, table244 b stores providing-side VPN (B) addresses corresponding to thetransmitting-side VPN addresses, which are given to the streaming server260. FIG. 9 illustrates table 244 b, which a providing-side VPN (B)address “1234” is given to the video data providing unit (B) 10 b andcorresponding transmitting-side VPN address is “IJKL” and atransmitting-side VPN address “EFGH” is given to the streaming server260 and corresponding providing-side VPN (B) address is “5678”.

When the controller 243 receives the transmitting-side data, which therouter 240 have received, from the I/F 241, it then accesses tables 244a and 244 b and determines whether or not the source address attached tothe transmitting-side data matches the address of the streaming server260 stored in tables 244 a and 244 b. In the case of FIG. 9, when thesource address matches the transmitting-side VPN address of thestreaming server 260 “EFGH” stored in tables 244 a and 244 b, thecontroller 243 determines that the transmitting-side data, such asrequest data or instruction data, is data that has been transmitted fromthe streaming server 260.

The controller 243 then accesses tables 244 a and 244 b, and retrieves adestination address indicated by the transmitting-side VPN address. Forexample, when a destination address is “ABCD” and matches thetransmitting-side VPN address stored in table 244 a, the controller 243obtains the providing-side VPN (A) addresses corresponding to the sourceaddress “EFGH” and the destination address “ABCD”, which are indicatedby the transmitting-side VPN addresses, from table 244 a.

The controller 243 converts the source address “EFGH” indicated by thetransmitting-side VPN address into the obtained providing-side VPN (A)address “efgh”, and converts the destination address “ABCD” indicated bythe transmitting-side VPN address into the obtained providing-side VPN(A) address “abcd”. Finally, since the destination address is “abcd”indicated by the providing-side VPN (A) address, the controller 243determines that the received request data or instruction data is to betransmitted to the video data providing unit (A) 10 a. The controller243 then inputs a packet including request data or instruction data,which is attached the converted source address and the converteddestination address to the I/F242 a, and transfers the packet to thevideo data providing unit (A) 10 a via the providing-side VPN (A) 20 a.

Meanwhile, when a destination address is “IJKL” and matches thetransmitting-side VPN address stored in table 244 b, the controller 244obtains the providing-side VPN (B) addresses corresponding to the sourceaddress “EFGH” and the destination address “IJKL”, which are indicatedby the transmitting-side VPN addresses, from table 244 b. The controller243 converts the source address “EFGH” indicated by thetransmitting-side VPN address into the obtained providing-side VPN (B)address “5678”, and converts the destination address “IJKL” indicated bythe transmitting-side VPN address into the obtained providing-side VPN(B) address “1234”. Finally, since the destination address is “1234”indicated by the providing-side VPN (B) address, the controller 243determines that the received request data or instruction data is to betransmitted to the video data providing unit (B) 10 b. The controller243 then inputs a packet including request data or instruction data,which is attached the converted source address and the converteddestination address to the I/F242 b, and transfers the packet to thevideo data providing unit (B) 10 b via the providing-side VPN (B) 20 b.

When the controller 243 receives video data, which the router 240 hasreceived via the providing-side VPN (A) 20 a, from the I/F 242 a, itthen accesses table 244 a and determines whether or not the sourceaddress attached to the video data matches the address of the video dataproviding unit (A) 10 a stored in table 244 a. In the case of FIG. 9,when the source address matches the providing-side VPN (A) address“abcd” of the video data providing unit (A) 10 a stored in table 244 a,the controller 243 determines that the video data being theproviding-side data is the data that has been transmitted from the videodata providing unit (A) 10 a.

The controller 243 then accesses the table 244 a and obtainstransmitting-side VPN addresses corresponding to the source address“abcd” and the destination address “efgh”, which are indicated by theproviding-side VPN (A) addresses. The controller 243 converts the sourceaddress “abcd” indicated by the providing-side VPN (A) address into theobtained transmitting-side VPN address “ABCD”, and converts thedestination address “efgh” indicated by the providing-side VPN (A)address into the obtained transmitting-side VPN (A) address “EFGH”.Finally, the controller 243 inputs a packet including video data, whichis attached the converted source address and the converted destinationaddress to the I/F 241, and transfers the packet to the streaming server60 via the transmitting-side VPN 50.

Meanwhile, when the controller 243 receives video data, which the router240 has received via the providing-side VPN (B) 20 b, from the I/F 242b, it then accesses table 244 b and determines whether or not the sourceaddress attached to the video data matches the address of the video dataproviding unit (B) 10 b stored in table 244 b. In the case of FIG. 9,when the source address matches the providing-side VPN (B) address“1234” of the video data providing unit (B) 10 b stored in table 244 b,the controller 243 determines that the video data being theproviding-side data is data that has been transmitted from the videodata providing unit (B) 10 b.

The controller 243 then accesses the table 244 b and obtainstransmitting-side VPN addresses corresponding to the source address“1234” and the destination address “5678”, which are indicated by theproviding-side VPN (B) addresses. The controller 243 converts the sourceaddress “1234” indicated by the providing-side VPN (B) address into theobtained transmitting-side VPN address “IJKL”, and the destinationaddress “5678” indicated by the providing-side VPN (B) address into theobtained transmitting-side VPN address “EFGH”. Finally, the controller243 inputs a packet including video data, which is attached theconverted source address and the converted destination address to theI/F 241, and transfers the packet to the streaming server 60 via thetransmitting-side VPN 50.

Note that when the source address attached to the transmitting-side datathat has been received by the router 240, does not match thetransmitting-side VPN address of the streaming server 60 stored in thetable 244 a or 244 b, the controller 243 does not transfer and discardsthe data. Similarly, when the source address attached to theproviding-side data that has been received by the router 240 via theproviding-side VPN (A) 20 a or the providing-side VPN (B) 20 b, does notmatch the addresses of the video data providing unit (A) 10 a and videodata providing unit (B) 10 b, which are indicated by the providing-sideVPN (A) address and the providing-side VPN (B) address, respectively,and stored in tables 244 a and 244 b, the controller 243 does nottransfer and discards the data.

Furthermore, the controller 243 stores a threshold value for the amountof video data from the video data providing unit (A) 10 a and the videodata providing unit (B) 10 b for transfer at once. The threshold valuefor the amount of data may be set according to the processing abilitiesof the providing-side VPN (A) 20 a, the providing-side VPN (B) 20 b, thetransmitting-side VPN 50, the router 240, and the streaming server 260,the quality of video data transmission to the mobile terminal (A) 70 aand the mobile terminal (B) 70 b from the streaming server 260, and thenumber of mobile terminals (A) 70 a and the mobile terminals (B) 70 b,which connect to the streaming server 260 via a radio link and receivevideo data.

The controller 243 compares the threshold value with the amount of videodata received by the router 240 via the information providing-sidenetwork, that is, the total amount of video data received by the router240 via the providing-side VPN (A) 20 a and video data received by therouter 240 via the providing-side VPN (B) 20 b. When request data of anew video data providing unit (A) 10 a or video data providing unit (B)10 b, which is not currently providing video data, is received from thestreaming server 260, the controller 243 then transfers the requestdata, if the total amount of video data received by the router 240 viathe providing-side VPN (A) 20 a and video data received by the router240 via the providing-side VPN (B) 20 b is less than the thresholdvalue.

Meanwhile, when the request data of a new video data providing unit (A)10 a or a new video data providing unit (B) 10 b, which is not currentlyproviding video data, is received from the streaming server 260, thecontroller 243 does not transfer the request data, if the total amountof video data received by the router 240 via the providing-side VPN (A)20 a and video data received by the router 240 via the providing-sideVPN (B) 20 b is more than or equal to the threshold value. Otherwise,the controller 243 is substantially the same as the controller 43 shownin FIG. 3.

According to the communication system 201 and router 240, almost thesame effects as those according to the communication system 1 and therouter 40 shown in FIG. 2 can be obtained. In addition, thecommunication system 201 comprises a plurality of informationproviding-side networks including the providing-side VPN (A) 20 a andthe providing-side (B) 20 b. The video data providing unit (A) 10 a andthe video data providing unit (B) 10 b connect to the plurality ofinformation providing-side networks, that is, the providing-side VPN (A)20 a and the providing-side (B) 20 b, respectively. The router 240connects between the transmitting-side VPN 50 and the providing-side VPN(A) 20 a, and between the transmitting-side VPN 50 and theproviding-side VPN (B) 20 b, respectively.

Therefore, the communication system 201 can connect thetransmitting-side VPN 50 to a plurality of information providing-sidenetworks, that is, the providing-side VPN (A) 20 a and theproviding-side VPN (B) 20 b via the router 240. Accordingly, even ifthere are many groups that need to ensure the security between thestreaming server 260 and the information providing units, including agroup between the streaming server 260 and the video data providingunits (A) 10 a, and a group between the streaming server 260 and thevideo data providing units (B) 10 b, it is unnecessary to provide asmany transmitting-side VPNs 50 as the number of groups that need toensure security, so long as there are provided as many informationproviding-side networks, such as the providing-side VPN (A) 20 a or theproviding-side VPN (B) 20 b, as the number of groups that need to ensuresecurity.

For example, as shown in FIG. 8, the transmitting-side VPN 50, therouter 240, and the streaming-server 260 can sufficiently function asthey are, and it is unnecessary to provide a plurality oftransmitting-side VPNs, a plurality of routers, and a plurality ofstreaming servers. It is also unnecessary to provide as many networksconnecting both the information providing unit and the streaming server260 as the number of groups that need to ensure security. Accordingly,the communication system 201, in which the information providing-sideproviding video data and the information transmitting-side can keeptheir own unique security policies,, can be constructed at low cost.

THIRD EMBODIMENT

As shown in FIG. 10, a communication system 301 comprises a plurality ofvideo data providing units 10, a providing-side asynchronous transfermode (ATM) network 320, a providing-side server 30, a router 340, atransmitting-side ATM network 350, a streaming server 60, and aplurality of mobile terminals 70. The video data providing units 10, theproviding-side server 30, the streaming server 60, and the mobileterminals 70 are substantially the same as the video data providingunits 10, the providing-side server 30, the streaming server 60, and themobile terminals 70 shown in FIG. 2.

The providing-side ATM network 320 is an information providing-sidenetwork connecting the video data providing units 10 and beingrestricted access. The providing-side ATM network 320 connects to therouter 340, and connects to the transmitting-side ATM network 350 viathe router 340. The providing-side ATM network 320 comprises anauthentication server 321. For the video data providing units 10, theproviding-side server 30, and other terminals, which attempt to accessthe providing-side ATM network 320, the authentication server 321restricts access by using user IDs, passwords, and caller IDs. The videodata providing units 10, the providing-side ATM network 320, and theproviding-side server 30 have the same security policy, and use the sameaddress architecture the video data providing units 10, theproviding-side ATM network 320, and the providing-side server 30, whichhave the same unique security policy and use the same unique addressarchitecture, are constructed by an information provider.

The transmitting-side ATM network 350 is an information providing-sidenetwork connecting the streaming server 60 and being restricted access.The transmitting-side ATM network 350 connects to the router 340. Thetransmitting-side ATM network 350 connects to the providing-side ATMnetwork 320 via the router 340. The transmitting-side ATM network 350comprises an authentication server 351. For the streaming server 60 andother terminals, which attempt to access the transmitting-side ATMnetwork 350, the authentication server 351 restricts access usingauthentication of user IDs, passwords, and caller IDs. The streamingserver 60 and the transmitting-side ATM network 350 have the samesecurity policy, and use the same address architecture. Thetransmitting-side ATM network 350 and the streaming server 60, whichhave a unified unique security policy and a unified unique addressarchitecture, are constructed by an information provider.

As shown in FIG. 11, the router 340 comprises I/Fs 341 and 342, acontroller 343, and a database 344. The I/F 341 connects to thetransmitting-side ATM network 350. On the other hand, the I/F 342connects to the providing-side ATM network 320. Thus, since the router340 comprises the I/F 341 connecting to the transmitting-side ATMnetwork 350 and the I/F 342 connecting to the providing-side ATM network320, the router 340 may connect between the transmitting-side ATMnetwork 350 and the providing-side ATM network 320. Otherwise, the I/Fs341 and 342 are substantially the same as the I/Fs 41 and 42 shown inFIG. 3. Note that the router 340 has function of routing.

The controller 343 determines whether or not the transmitting-side datareceived via the transmitting-side ATM network 350 is data that has beentransmitted from the streaming server 60, and whether or not theproviding-side data received via the providing-side ATM network 320 isdata that has been transmitted from the video data providing unit 10,and controls transfer of the transmitting-side data and theproviding-side data based on those determination results. In this case,the router 340 once converts the address attached to data that has beentransmitted to the video data providing unit 10 from the streamingserver 60, or the address attached to data that has been transmitted tothe streaming server 60 from the video data providing unit 10, into anaddress (hereafter, referred to as a common address), other than anaddress suitable for the providing-side ATM network 320 (hereafter,referred to as a providing-side ATM address) and an address suitable forthe transmitting-side ATM network 350 (hereafter, referred to as atransmitting-side ATM address), respectively. The controller 243 thenconverts the converted common addresses into a transmitting-side ATMaddress or a providing-side ATM address, respectively, and transferdata.

The database 344 comprises tables 344 a and 344 b. Tables 344 a and 344b store addresses given to each of the video data providing units 10 andthe streaming server 60. Furthermore, table 344 a stores the commonaddresses corresponding to the providing-side ATM addresses, which aregiven to each of the video data providing units 10 and the streamingserver 60. In addition, table 344 b stores the common addressescorresponding to the transmitting-side ATM addresses, which are given tothe streaming server 60 and each of the video data providing units 10.

FIG. 11 illustrates table 344 a, which the providing-side ATM address“abcd” is given to the video data providing unit 10 and correspondingcommon address is “1234”, and the common address of the streaming server60 is “5678” and corresponding providing-side ATM address is “efgh”. Inaddition, FIG. 11 illustrates table 344 b, which a transmitting-side ATMaddress “EFGH” is given to the streaming server 60 and correspondingcommon address is “5678”, and a common address of the video dataproviding unit 10 is “1234” and corresponding transmitting-side ATMaddress is “ABCD”.

When the controller 343 receives a packet including request data orinstruction data, which the router 340 has received as thetransmitting-side data, from the I/F 341, it then accesses table 344 band determines whether or not the source address attached to the requestdata or instruction data matches the transmitting-side ATM address ofthe streaming server 60 stored in the table 344 b. In the case of FIG.11, when the source address matches the transmitting-side ATM address ofthe streaming server 60 “efgh” stored in table 344 b, the controller 343determines that the transmitting-side data, such as request data orinstruction data, is data that has been transmitted from the streamingserver 60.

The controller 343 then accesses table 344 b and obtains the commonaddresses corresponding to the source address “EFGH” and the destinationaddress “ABCD” indicated by the transmitting-side ATM addresses. Thecontroller 343 once converts the source address “EFGH” indicated by thetransmitting-side ATM address into the obtained common address “5678”,and the destination address “ABCD” indicated by the transmitting-sideATM address into the obtained common address “1234”. The controller 343then accesses table 344 a and obtains providing-side ATM addressescorresponding to the source address “5678” and the destination address“1234”, which are indicated by the common addresses. The controller 343converts the source address “5678” indicated by the common address intothe obtained providing-side ATM address “efgh”, and converts thedestination address “1234” indicated by the common address into theobtained providing-side ATM address “abcd”. Finally, the controller 343inputs a packet including request data or instruction data, which hasthe converted source address and the converted destination address tothe I/F 342, and transfers the packet to the video data providing unit10 via the providing-side ATM network 320.

Similarly, when the controller 344 a receives a packet including videodata, which the router 340 has received as the providing-side data, fromthe I/F 342, it then accesses the table 344 a and determines whether ornot the source address attached to the video data is one of addresses ofthe video data providing units 10, which are indicated by theproviding-side ATM addresses and stored in table 344 a. In the case ofFIG. 11, when the source address matches the address of the video dataproviding unit 10 “abcd” stored in table 344 a, the controller 343determines that the video data being the providing-side data is datathat has been transmitted from the video data providing unit 10.

The controller 343 then accesses the table 344 a and obtains the commonaddresses corresponding to the source address “abcd” and the destinationaddress “efgh”, which are indicated by the providing-side ATM addresses.The controller 343 once converts the source address “abcd” indicated bythe providing-side ATM address into the obtained common address “1234”,and the destination address “efgh” indicated by the providing-side ATMaddress into the obtained common address “5678”.

The controller 343 then accesses the table 344 b and obtainstransmitting-side ATM addresses corresponding to the source address“1234” and the destination address “5678”, which are indicated by thecommon addresses. The controller 343 converts the source address “1234”indicated by the common address into the obtained transmitting-side ATMaddress “ABCD”, and the destination address “5678” indicated by thecommon address into the obtained transmitting-side ATM address “EFGH”.Finally, the controller 343 inputs a packet including video data, whichis attached the converted source address and the converted destinationaddress to the I/F 341, and transfers the packet to the streaming server60 via the transmitting-side ATM 350.

Note that when the source address attached to the transmitting-side datathat has been received by the router 340, does not match thetransmitting-side ATM address of the streaming server 60 stored in table344 b, the controller 343 does not transfer and discards the data.Similarly, when the source address attached to the providing-side datathat has been received by the router 340, does not match theproviding-side ATM addresses of the video data providing units 10 storedin table 344 a, the controller 343 does not transfer and discards thatdata.

Furthermore, the controller 343 stores a threshold value for the amountof video data from the video data providing unit 10 and for transfer atonce, as with the controller 43 shown in FIG. 3. The controller 343 thencompares the threshold value with the amount of video data received bythe router 340 via the providing-side ATM network 320, and controlstransfer of the transmitting-side data and the providing-side data basedon the comparison result, in the same manner as the controller 43 shownin FIG. 3. Otherwise, the controller 343 is substantially the same asthe controller 43 shown in FIG. 3.

According to the communication system 301 and router 340, almost thesame effects as those according to the communication system 1 and therouter 40 shown in FIG. 2 can be obtained. More specifically, the router340 converts the transmitting-side ATM address attached to request dataor instruction data transmitted to the video data providing unit 10 fromthe streaming server 60, into a common address, and converts theconverted common address into the providing-side ATM address. The router340 also converts the providing-side ATM address attached to video datatransmitted to the streaming server 60 from the video data providingunit 10, into the common address, and converts the converted commonaddress into the transmitting-side ATM address. Accordingly, a group ofthe video data providing unit 10 and the providing-side ATM network 220,and a group of the streaming server 60 and the transmitting-side ATMnetwork 350, may connect via the router 340 while maintaining their ownunique address architecture, respectively. As a result, since it isunnecessary for the communication system 301 to use the same addressarchitecture, the communication system 301 can be constructed at lowcost.

MODIFIED EXAMPLE

The present invention is not limited to the above-mentioned embodiments,and various modifications are possible. In the above-mentionedembodiments, the video data providing units 10, the video data providingunits (A) 10 a, and the video data providing units (B) 10 b, which areinformation providing unit, provide video data as information data;however, information data provided from the information providing unitis not limited to video data. The information providing unit mayprovide, for example, sound data, text data, and still image data as theinformation data.

In addition, when controlling transfer of data based on the comparisonresults between the threshold value and the amount of video datareceived by the router 40 via the providing-side VPN 20, the controller43 may transfer request data from the streaming server 60 to the videodata providing unit 10, and limit the transfer of video data obtainedfrom the video data providing unit 10. More specifically, when theamount of video data received by the router 40 via the providing-sideVPN 20 is less than the threshold value, the controller 43 transfers thevideo data obtained from the video data providing unit 10 to thestreaming server 60. Meanwhile, when the amount of video data receivedby the router 40 via the providing-side VPN 20 is more than or equal tothe threshold value, the controller 43 does not transfer the video dataobtained from that video data providing unit 10, in response to therequest data from the streaming server 60 for a new video data providingunit 10 that is not currently providing video data. Furthermore, thecontroller 43 notifies the video data providing unit 10 that video datatransfer has been rejected.

In this case, since video data in relation to the request data orinstruction data cannot be received after a specified period haselapsed, the streaming server 60 transmits the request data orinstruction data again. When video data in relation to there-transmitted request data or instruction data is not transmitted afteranother specified period has elapsed, the streaming server 60 determinesthat the network is currently congested, and thereby video data cannotbe provided. The streaming server 60 then notifies the mobile terminal70 that video data cannot be provided due to current network congestion.

In the communication systems 1, 201, and 301, shown in FIGS. 2, 8, and10, respectively, a plurality of groups of the transmitting-side VPNs 50and the streaming servers 60 or 260, or a plurality of groups of thetransmitting-side ATM networks 350 and the streaming servers 60 may beprovided, and in this case, the routers 40, 240, and 340 may be providedfor each of a plurality of transmitting-side VPNs 50 ortransmitting-side ATM networks-350. When there is a single streamingserver 6 or 260 as with the case of the communication systems 1, 201,and 301, a plurality of routers 40, 240, and 340 may be provided. In thecommunication system 201 shown in FIG. 8, the router 240 may be providedfor each of a plurality of providing-side VPNs (A) 20 a orproviding-side VPNs (B) 20 b. In addition, the communication system 301shown in FIG. 10 may also include a plurality of providing-side ATMnetworks 320, which are providing-side networks, as with thecommunication system 201 shown in FIG. 8.

Furthermore, in the communication system 201 shown in FIG. 8, theproviding-side VPN (A) 20 a and the providing-side VPN (B) 20 b mayconnect to a single network, and the providing-side VPN (A) 20 a and theproviding-side VPN (B) 30 b may connect to the router 240 via thatnetwork. For example, when there is an existing network in collectivehousing or a building with multiple tenants, a plurality ofproviding-side networks may connect to the existing network, and aplurality of providing-side networks may connect to the router via theexisting network. Accordingly, for example, when the transfer speed ofthe network connecting each of the providing-side networks is fasterthan the transfer speed of each providing-side network, each informationproviding unit may efficiently transmit information data with largecapacity such as video data, compared to the case of transmission viathe providing-side network. Note that in FIG. 10, an ATM exchangerhaving the function of router 340 may be provided at least one of withinthe both of providing-side ATM network 320 and the transmitting-side ATMnetwork 350, providing-side ATM network 320, or the transmitting-sideATM network 350.

INDUSTRIAL APPLICABILITY

As described above, the present invention can provide a communicationsystem, which has high security and can be constructed at low cost,where an information providing-side providing information data and aninformation transmitting-side transmitting the information data obtainedfrom the information providing-side to a terminal can maintain their ownunique security policy, and a transfer device used for the communicationsystem.

1. A communication system comprising: an information providing unitconfigured to provide information data; an information providing-sidenetwork configured to connect the information providing unit and berestricted access; an information transmitter configured to obtain theinformation data by transmitting request data for requesting theinformation data to the information providing unit, and transmitobtained information data to a terminal; an informationtransmitting-side network configured to connect the informationtransmitter and be restricted access; and a transfer unit configured toconnect the information transmitting-side network and the informationproviding-side network, determine whether or not transmitting-side datareceived via the information transmitting-side network is datatransmitted from the information transmitter, and whether or notproviding-side data received via the information providing-side networkis data transmitted from the information providing unit, and transferthe transmitting-side data and the providing-side data based ondetermination results.
 2. The communication system of claim 1, furthercomprising: a plurality of information providing-side networks, whereinthe transfer unit connects the information transmitting-side network andthe plurality of information providing-side networks.
 3. Thecommunication system of claim 1, wherein the transfer unit converts anaddress attached to data transmitted to the information providing unitfrom the information transmitter, into a providing-side address, andconverts an address attached to data transmitted to the informationtransmitter from the information providing unit, into atransmitting-side address.
 4. The communication system of claim 1,wherein the transfer unit converts an address attached to datatransmitted to the information providing unit from the informationtransmitter, into a common address, converts a converted common addressinto a providing-side address, converts an address attached to datatransmitted to the information transmitter from the informationproviding unit, into the common address, and converts a converted commonaddress into a transmitting-side address.
 5. The communication system ofclaim 1, wherein the transfer unit memorizes a threshold value for anamount of the information data from the information providing unit fortransfer at once, compares the threshold value with an amount of theinformation data received from the information providing unit via theinformation providing-side network, and controls transfer of thetransmitting-side data and the providing-side data based on a comparisonresult.
 6. The communication system of claim 1, wherein the informationdata is video data.
 7. The communication system of claim 1, wherein atleast one of the information providing-side network and the informationtransmitting-side network is a virtual private network.
 8. A transferdevice connects an information providing-side network connecting aninformation providing unit providing information data and beingrestricted access, and an information transmitting-side networkconnecting an information transmitter obtaining the information data bytransmitting request data for requesting the information data to theinformation providing unit and transmitting obtained information data toa terminal and being restricted access, determines whether or nottransmitting-side data received via the information transmitting-sidenetwork is data transmitted from the information transmitter, andwhether or not providing-side data received via the informationproviding-side network is data transmitted from the informationproviding unit, and transfers the transmitting-side data and theproviding-side data based on determination results.